Php html+SQL查询搜索
我正在尝试根据Php html+SQL查询搜索,php,html,mysql,sql,Php,Html,Mysql,Sql,我正在尝试根据 <select multiple=multiple name="chkUnr[]"> 我通过运行代码从select中获取值: for($i=0;$i<count($_POST["chkUnr"]);$i++) { if($_POST["chkUnr"][$i] != "") { $search
<select multiple=multiple name="chkUnr[]">
for($i=0;$i<count($_POST["chkUnr"]);$i++)
{
if($_POST["chkUnr"][$i] != "")
{
$search_country = $_POST["chkUnr"][$i];
}
$query = "";
$query .= "SELECT users.* FROM users";
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
$query .= " LEFT JOIN online ON online.user_id = users.id";
}
$query .= " WHERE";
if (isset($_POST['vip']) ? $_POST['vip'] : 0 == 1) {
$query .= " users.vip = 1 AND";
}
if (isset($_POST['profile_image']) ? $_POST['profile_image'] : 0 == 2) {
$query .= " users.profile_image = '2' AND";
}
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
$query .= " online.is_online = 1 AND";
}
$query .= " (id NOT IN (SELECT user_id FROM users_blocked WHERE blocked_id = '$user_id')) AND";
$query .= " (users.user_age >= '$age_from' AND users.user_age <= '$age_to') AND";
$query .= " (users.gender = '$gender_search') AND";
$query .= " users.country IN ('$search_country')";
$search_query = mysql_query($query);
}
$search_country = implode(',',array_unique($_POST["chkUnr"]));
$query = "";
$query .= "SELECT users.* FROM users";
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
$query .= " LEFT JOIN online ON online.user_id = users.id";
}
$query .= " WHERE";
if (isset($_POST['vip']) ? $_POST['vip'] : 0 == 1) {
$query .= " users.vip = 1 AND";
}
if (isset($_POST['profile_image']) ? $_POST['profile_image'] : 0 == 2) {
$query .= " users.profile_image = '2' AND";
}
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
$query .= " online.is_online = 1 AND";
}
$query .= " (id NOT IN (SELECT user_id FROM users_blocked WHERE blocked_id = '$user_id')) AND";
$query .= " (users.user_age >= '$age_from' AND users.user_age <= '$age_to') AND";
$query .= " (users.gender = '$gender_search') AND";
$query .= " users.country IN ('$search_country')";
$search_query = mysql_query($query);
这里的问题以及另一个答案的问题是in子句被引号包围,因此不会产生我们想要的结果。我们需要有效地将数组传递给查询。您的代码也容易受到sql注入的攻击。我强烈建议转到PDO/准备好的声明。我给这些国家增加了一点保护,但这无论如何都不是万无一失的
function prepareForSql($value, $key) {
return addslashes($value);
}
array_walk($_POST["chkUnr"], "prepareForSql");
$search_country = "'" . implode("','", $_POST["chkUnr"]) . "'";
$query = "";
$query .= "SELECT users.* FROM users";
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
$query .= " LEFT JOIN online ON online.user_id = users.id";
}
$query .= " WHERE";
if (isset($_POST['vip']) ? $_POST['vip'] : 0 == 1) {
$query .= " users.vip = 1 AND";
}
if (isset($_POST['profile_image']) ? $_POST['profile_image'] : 0 == 2) {
$query .= " users.profile_image = '2' AND";
}
if (isset($_POST['singles_online']) ? $_POST['singles_online'] : 0 == 1) {
$query .= " online.is_online = 1 AND";
}
$query .= " (id NOT IN (SELECT user_id FROM users_blocked WHERE blocked_id = '$user_id')) AND";
$query .= " (users.user_age >= '$age_from' AND users.user_age <= '$age_to') AND";
$query .= " (users.gender = '$gender_search') AND";
$query .= " users.country IN ($search_country)";
$search_query = mysql_query($query);
var_dump$_POST是什么样子的?对不起,我不知道它是什么,也不知道它应该在哪里。$search_country=introde',',array_unique$_POST[chkUnr];如果我选择瑞典和克罗地亚,输出结果是:克罗地亚,瑞典克罗地亚,瑞典搜索结果:0人发现如果你仔细看,我没有使用。。。不需要了,是的,现在好多了。但如果我选择一个国家,我现在就得到了结果。但当选择多个国家时,结果为0。知道为什么吗?这个解决方案有效,但需要修改代码:$search\u country需要先修改为:$search\u country=。内爆“,”,$_POST[chkUnr];